AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2021-37647: TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determ

highvulnerability

security

Source: NVD/CVE DatabaseAugust 12, 2021CVE-2021-37647

Summary

TensorFlow (an open source platform for machine learning) has a vulnerability where the `tf.raw_ops.SparseTensorSliceDataset` function can crash by trying to access memory that doesn't exist (null pointer dereference) when a user provides incomplete arguments for a sparse tensor (a data structure optimized for data with many zero values). The bug occurs because the code doesn't properly validate the case when one part of the sparse tensor is empty but the other part is provided.

Solution / Mitigation

The issue has been patched in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7. The fix will be included in TensorFlow 2.6.0, and will also be backported to TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4.

Vulnerability Details

CVSS Score

7.7(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack SophisticationModerate

Impact (CIA+S)

availabilityintegrity

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-476

Affected Vendors

Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-37647

First tracked: February 15, 2026 at 08:39 PM

Classified by LLM (prompt v3) · confidence: 95%